Malware-Driven Child Porn Raises Red Flag

Massachusetts case demonstrates how malware can poison more than a machine

Jun 16, 2008 | 10:00 AM

By Kelly Jackson Higgins, Dark Reading

What if you unknowingly harbored child pornography on your work laptop? A child pornography possession charge against a former Massachusetts state government employee has been dropped after forensic evidence showed that his machine was infected with various forms of malware that silently drove his browser to the unsavory sites and files.

The case of Massachusetts Department of Industrial Accidents investigator Michael Fiola has some chilling ramifications for unwitting, innocent users whose machines may be hiding incriminating evidence that could be used against them.

Fiola lost his job and friends, and his reputation took a major blow, during the investigation that followed his firing in March 2007, after IT found traces of child pornography on his laptop. IT got suspicious after noting that his wireless usage was four times that of his co-workers. His case was dropped before making it to court, after forensic experts found that the child porn traffic and files were driven by malware on his agency-issued laptop.

Fiola’s case has raised concern among security experts, who say that while his situation was extreme, it should be a wakeup call to users, in-house IT investigators, and law enforcement. Charges such as child pornography possession should be verified through means other than the computer itself, notes Jeremiah Grossman, CTO of WhiteHat Security.

“There’s no way that users nowadays are able to successfully defend their machine from being compromised. There’s just no way,” Grossman says. “Real Websites are getting laced with malware... It’s almost impossible to defend your browser. You could do everything right and it won’t matter.”

Fiola, 53, whom family and others say was no technophile, was in the worst possible situation: His IT department issued him the machine in November 2006 after his previous laptop was stolen, but apparently it wasn’t properly configured for the agency’s server-based software and security maintenance. Plus, the Symantec Corporate Edition antivirus software on the laptop never operated correctly while Fiola used the machine.

“For three-and-a-half months, IT never once communicated with that laptop, so it had nothing to monitor or maintain it,” says Tami Loehrs, the forensic expert who investigated Fiola’s laptop and concluded that there was no evidence he had engaged in the activity nor knew the files were on his machine.

Loehrs, who is president of Law2000, says she found just about “everything” when it came to malware on Fiola’s laptop. “I even found a script file running its own searches. There were Trojans opening the computer to be hacked, viruses redirecting Websites and bringing up porn Websites,” she says.

“You could see him logging in to do work and all of a sudden, a porn image would appear,” Loehrs says. “They would just start appearing only because he had opened his laptop and he was now connected to the outside.”

There were no signs of Fiola himself actually typing in a URL to one of the sites or directing his browser there. Instead, the malware on his machine as well as a possible remote attacker were doing the dirty work and storing cached images of child porn, according to Loehrs. Another indication of Fiola’s innocence, according to Loehrs, was that there were no files actually stored on his computer, which true child porn criminals typically do. “All of the files were cached in his temporary Internet files” in his browser, she says. “We would log into his work Website... and things would appear on his temporary Internet cache.”
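The distinctions Loehrs draws above (typed URLs versus redirects, files deliberately saved versus images left only in the browser cache, and porn traffic that starts moments after the user connects) can be turned into a simple triage pass over browser history and file listings. The following is an added example written for this article, not code from Loehrs or Law2000; the record layouts, the `typed` flag, the known-bad host list and the sample data are all constructed assumptions, and the output is a set of indicators to corroborate with other evidence, not a verdict.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Visit:
    ts: int        # seconds after the user logged in to the work site (constructed)
    url: str
    typed: bool    # True if the history record says the user typed the URL or used a bookmark
    referrer: str  # empty when the visit carried no referrer

@dataclass
class Artifact:
    path: str
    flagged: bool  # True if the file matched a known-bad hash set (assumed to exist)

CACHE_MARKERS = ("temporary internet files", "\\cache\\", "/cache/")

def host(url: str) -> str:
    return urlparse(url).hostname or ""

def in_cache(path: str) -> bool:
    return any(m in path.lower() for m in CACHE_MARKERS)

def triage(visits, artifacts, bad_hosts, login_window=60):
    """Separate indicators of user action from indicators of automated activity."""
    bad = [v for v in visits if host(v.url) in bad_hosts]
    typed = [v for v in bad if v.typed]
    # A bad visit reached from a benign page without typing is consistent with a redirect.
    redirected = [v for v in bad if not v.typed and v.referrer and host(v.referrer) not in bad_hosts]
    # Bad traffic beginning within seconds of login, as described in Fiola's case.
    near_login = [v for v in bad if 0 <= v.ts <= login_window]
    flagged = [a for a in artifacts if a.flagged]
    cached = [a for a in flagged if in_cache(a.path)]
    saved = [a for a in flagged if not in_cache(a.path)]
    return {
        "typed_visits_to_bad_hosts": len(typed),
        "redirected_visits_to_bad_hosts": len(redirected),
        "bad_visits_within_login_window": len(near_login),
        "flagged_files_in_cache": len(cached),
        "flagged_files_saved_elsewhere": len(saved),
        # Typed URLs or deliberately saved files point to the user; cache-only, redirect-only activity does not.
        "user_action_indicated": bool(typed or saved),
    }

# Constructed sample data modelled on the article, not real evidence.
SAMPLE_VISITS = [
    Visit(0, "https://intranet.example.gov/login", True, ""),
    Visit(12, "http://bad.example/a", False, "https://intranet.example.gov/login"),
    Visit(15, "http://bad.example/b", False, "http://bad.example/a"),
]
SAMPLE_FILES = [
    Artifact(r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\img1.jpg", True),
    Artifact(r"C:\Documents and Settings\user\My Documents\report.doc", False),
]
BAD_HOSTS = {"bad.example"}
```

Run against the sample data, the pass reports one redirected visit, two bad visits inside the login window, one flagged file that exists only in the cache, and no indicator of user action.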

Loehrs -- who was hired by Fiola and his wife to help exonerate him -- also found evidence that an attacker had also directly hacked into Fiola’s machine. “It looked like a young guy looking for MySpace stuff, social studies (type) things,” she says. “But I don’t know if it was someone at the IT department [investigating].”

Fiola may have previously reported some strange behavior on his machine, she says, but nothing that led to the discovery of the porn or malware by IT.

Cases like Fiola’s -- where an infected machine leads to an assumption of the user’s guilt -- are becoming all too common, experts say. Much of this has to do with the technical knowledge gap in the mainstream, they say. It’s not the same as when someone gets arrested for possession of drugs in their vehicle: “I’ve seen this before,” says Alex Eckelberry, CTO of Sunbelt Software. “A completely innocent guy gets caught up with this mentality... a forensic investigator who didn’t know what he was doing, or had a lack of the technical concepts.”

Eckelberry says even a user surfing legitimate content with sexual content, for instance, could get swept up in such a case. “That happens a lot... they get infected with malware” from a sketchy site, he says.

The flip side, of course, is the true child pornography criminals who abuse the “the computer virus did it” defense. “While that is possible, there have been cases I've read of where forensic examiners were able to prove the individual put the malware on their computer intentionally in anticipation of using it as a defense when they got caught,” says James Wingate, director of the Steganography Analysis & Research Center at Backbone Security.

“I think the message in this is that employees should not use a computer they know has been used by someone else without some sort of assurance, preferably in writing, that the IT dept has properly sanitized the computer... low-level format, reload OS and applications, etc.,” Wingate says. “And they should make sure the AV is on and operating properly. The problem is that employees [who are] not computer literate have no way to [do this] without going to an outside expert for verification.”
